Extract timetaken from line

Explorer

Here is my log line:
{"line":"2019-12-09T11:40:13.049Z LCS LCE [pool-8-thread-13] INFO i.r.rest.- job:{id=cd254f615c304c028c85c28a3356a432, status=ready, createdOn=1575891540031, timeTaken=73017, lastModified=1575891613048}

I would like to extract timeTaken from the above line and divide that by 60000. What regex should I use?

Champion

Hi,

Try this:

| makeresults 
| eval test="{\"line\":\"2019-12-09T11:40:13.049Z LCS LCE [pool-8-thread-13] INFO i.r.rest.- job:{id=cd254f615c304c028c85c28a3356a432, status=ready, createdOn=1575891540031, timeTaken=73017, lastModified=1575891613048}" 
| rex field=test "timeTaken=(?P<timeTaken>\d+)" 
| eval output=tonumber(timeTaken)/60000
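
An added example, not part of the answer above: the same rex approach extended to capture status, createdOn and lastModified alongside timeTaken, and to check that lastModified minus createdOn equals timeTaken, as it does in the sample line (1575891613048 - 1575891540031 = 73017). The output field names minutes, elapsed_ms and consistent are made up for this example, and whether the application always keeps these three values in step is an assumption.

```spl
| makeresults
| eval test="{\"line\":\"2019-12-09T11:40:13.049Z LCS LCE [pool-8-thread-13] INFO i.r.rest.- job:{id=cd254f615c304c028c85c28a3356a432, status=ready, createdOn=1575891540031, timeTaken=73017, lastModified=1575891613048}"
| rex field=test "status=(?P<status>\w+), createdOn=(?P<createdOn>\d+), timeTaken=(?P<timeTaken>\d+), lastModified=(?P<lastModified>\d+)"
| where isnotnull(timeTaken)
| eval minutes=round(tonumber(timeTaken)/60000, 2)
| eval elapsed_ms=tonumber(lastModified)-tonumber(createdOn)
| eval consistent=if(elapsed_ms==tonumber(timeTaken), "yes", "no")
| table status createdOn lastModified timeTaken minutes elapsed_ms consistent
```

Against indexed events, replace the makeresults and eval test lines with your base search and point rex at the field that holds the message; the where clause drops events in which the pattern did not match.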
